Spam Mailing scripts

[crazyaboutlinux]

Hi Guy's

probably you all guy's are aware about the spam scripts e.g dm.cgi, hnc.cgi

i have just found dm.cgi (dark mailer script) on my server but i am not sure whether this script is currently running or not.

so how can i make sure that this script is running our not & if running the how to stop

also i want to list of spam scripts so that i can monitor

Thanks!

Nilesh

[crazyaboutlinux]

Hello,

is there any one @ cPanel forum can help into this ?????

[JawadArshad]

Hi Guy's

probably you all guy's are aware about the spam scripts e.g dm.cgi, hnc.cgi

i have just found dm.cgi (dark mailer script) on my server but i am not sure whether this script is currently running or not.

so how can i make sure that this script is running our not & if running the how to stop

also i want to list of spam scripts so that i can monitor

Thanks!

Nilesh

ps auxw |grep dm.cgi

will let you know if it is running, 'ls -al /proc/PID' of this script will let you know the location where it is running, you can also run 'updatedb' and 'locate dm.cgi'.
Enable SMTP Tweak from "WHM >> Security Center" and if you are running SuPHP/Suexec, check this option in WHM >> Tweak Settings "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)"
These and active monitoring of your server will help you reduce spam generation from your server.

[crazyaboutlinux]

# ps auxw |grep dm.cgi

Result >> root 6613 0.0 0.0 3912 668 pts/0 S+ 10:54 0:00 grep dm.cgi

# locate dm.cgi

result >> /home/tarangi/public_html/cgi-bin/dm.cgi
/home/telemed/1public_html/cgi-bin/dm.cgi

is it running ????

[JawadArshad]

# ps auxw |grep dm.cgi

Result >> root 6613 0.0 0.0 3912 668 pts/0 S+ 10:54 0:00 grep dm.cgi

# locate dm.cgi

result >> /home/tarangi/public_html/cgi-bin/dm.cgi
/home/telemed/1public_html/cgi-bin/dm.cgi

is it running ????

Doesn't seem like running, you can ask your two users 'tarangi' & 'telemed' if they intentionally placed these scripts, you can disable them anytime as root and render them immutable.

[crazyaboutlinux]

Doesn't seem like running

how could you guess

you can disable them anytime as root and render them immutable

how can i disable this ?

[JawadArshad]

how could you guess

ps auxw usually shows multiple incidents, however you need to check logs and actively monitor your server via top and ps commands to be sure.

how can i disable this ?

find the location of the dm.cgi. cd to that folder.

chown root.root dm.cgi
chmod 000 dm.cgi
chattr +i dm.cgi

This way cpanel users will not be able to modify this script. The last command will make the file immutable, to make it modifyable again, run

chattr -i dm.cgi

Do also enable the other two tweaks provided by cPanel, which are very effective in reducing/eliminating spam generation on cPanel servers.